Beta 3 release notes:
"Known Issues in macOS High Sierra 10.13 beta
The following are known to exist in this release.
@here I have a question in reference to the release name of High Sierra when it is released. I am trying to get ahead of the game and apply the restricted software block through JAMF while we test to make sure everything works in our environment. Our employees are day one adopters and I want to avoid problems.
It might be interesting to use native virtualization for macOS to create High Sierra lab environments for testing all sorts of things - imaging etc.
Has anyone experienced issues with system extension blocking (http://blog.eriknicolasgomez.com/2017/07/25/Kextpocalypse-High-Sierra-and-kexts-in-the-Enterprise/) breaking VMWare, AV or other enterprise products? We did a test and VMWare and our AV do not work without IT telling the user to specifically allow the software to load kernel extensions in System Settings. That might be okay for VMWare, but we'd rather not give users the option to run AV. We're looking for a solution to deploy our enterprise software at scale without physically touching each individual endpoint to add the team ID with the spctl kext-consent command in recovery mode. Anyone else worried about this?
@dmeehan Lots of folks are worried about this. Apple has been trying to point developers away from using Kernel Extensions for some time, though.
Their note on Enterprise App Distribution is hilarious, as if that process is feasible in any enterprise environment.
There's not a magical workaround for this that I'm aware of.
Best to get with your vendors and query about their plans for a compatible agent for this release that invalidates the need to perform those steps. See this post.
When I downloaded the 10.13. B1 version it did not update the FS to APFS, so not much different than before, other than a few nice features like the lock screen. How did you all get the APFS to perform the update to use the full extent of this new FS?
Hoping JAMF will be doing some nifty scripts and the such to allow us to lock a computer without losing the ability to see it and its associated IP for tracking purposes.
So, since I'm only commenting on items that have gotten public attention and/or 3rd party products, I'm pretty sure I'm good with NDA.
Re: Lock Screen
The Keychain Access application no longer contains the keychain.menu menu extra. This is irrelevant, given the Apple Menu item.
This is a good and remarkable thing since we no longer need to create a policy or profile to provide this functionality to our users.
Other Items I've found...
Canon printer drivers
If you have to install Canon printer drivers, note that the packages Canon issued last year have an OS version check built into the package that will cause the installation to fail where OS = 10.13. I have also gotten reports of functionality issues that I'm still waiting for confirmation test data on.
Symantec Endpoint Protection
The extant version fails to install. I have an issue open with Symantec.
Contrary to some sysadmins' opinions, it is not Apple's job to comply with the 3rd-party developer, rather it's the other way around.
Lean hard on your vendors and internal developers to...
participate in the Apple Developer Program
follow Apple best practices and development guidelines
deliver compatible and Apple best practice and guideline-compliant software before the OS is released
I tell my devs & vendors that zero-day support is considered late. I want to see a guaranteed compatible/supported release within 48 hours of Apple's GM/release candidate going public, and preferably a beta before then.
We are on a roll @milesleacy
We enable vendors' bad behavior, and it needs to stop. We have to educate our organization that if they want to support Apple, they have to play by Apple rules and Apple timelines and only support vendors (like Jamf) that do.
My sound bite is, We all have to move at Apple speed, not "insert your crappy vendor here" speed.
For those of you who have installed High Sierra and converted your boot drive to APFS, I have a few questions:
1. About 30 minutes to install High Sierra, another 30 minutes to convert HFS+ to APFS for a 1 TB SSD in a MacBook Pro (15", Late 2011).
2. The APFS conversion happens after the first restart during the install process, so you are sitting with the grey apple screen, a progress bar, with some small text at the bottom giving an estimated time of completion, and an indication as to whether it is upgrading the OS or converting HFS+ to APFS.
3. Haven't used FileVault, thinking about changing that after High Sierra gets released.
As I understand it, upgrading HDDs to APFS is not currently supported in the beta OS installers (they only provide the option to upgrade to APFS for SSDs), but should be by the time High Sierra is released. I believe the longer time it would take to upgrade a HDD, versus the need to help developers get up and running testing their apps on the newer OS, to be the reason for this.
@wakco Was this a clean install or was it an upgrade from Sierra? Waiting for the drive to convert to APFS might be a major obstacle for us to minimize downtime when doing upgrades. I guess there's still plenty of time before it hits the streets as a gold release, and then I'll most likely wait until 10.13.2 before I start to dig in with my own testing of the upgrade and app compatibility. Thanks for the input.
I installed the 10.13 High Sierra beta (17A330h) on a test 2015 MBPro that was running macOS Sierra 10.12 (this computer had no connection to being enrolled in the Casper system, it was totally separate).
The computer has 3 accounts and after the 10.13 beta completed installation I am only able to login with the account that was used to install the beta. I go into System Preferences, Users & Groups and do not have the option to 'reset' the password on the other 2 accounts.
Has anyone else encountered this issue?
In 10.12 I am able to choose a different user account and I get the 'reset password' option, in 10.13 I don't get this option to 'reset password' on other accounts.
Disk Utility shows the volume is APFS!! I did not have to choose this during the install process, I just walked away and let the installation do its stuff.
I had issues with the computer hanging after being bound to AD previously. So I downloaded Beta 6 and it doesn't hang anymore, but I cannot login with mobile accounts. I get the following error:
I also noticed my drive was converted to APFS after getting the prompt to upgrade in the previous beta. It looks like it's no longer an option.
I just saw this update from Apple regarding this issue (SKEL): https://support.apple.com/en-us/HT208019. It sounds like MDM is the answer. Does that mean with Casper we can manage our devices using MDM to avoid the kextpocalypse (blog.eriknicolasgomez.com/2017/07/25/Kextpocalypse-High-Sierra-and-kexts-in-the-Enterprise/) issue?
Is anyone having an issue logging into a 10.13 beta 9 machine with a domain account? My 10.13 Mac is bound to our AD but we noticed that we cannot login using an account that has a home drive mapped in AD; remove the mapping and the account logs in fine.
Getting the same screen as @PhillyPhoto
I feared I was the only one having issues to log in with AD accounts, but I see that this persists in beta 9.
Has anyone with a GM version tried to bind to AD and log in as network users?
Also, I tried to use
sudo dscl . delete /Users/olduser
to delete a local account and I get a
DS Error: -14120 (eDSPermissionError)
that I wasn't getting on 10.12
Might it be that SIP now blocks this command from deleting user accounts?
Do you have Read/Write permissions on the folder on your Home Drive Server? Windows and AD will map it to anything and bypass those permissions even if you don't have ACTUAL rights on the folder.
To fix this, give your user account permission on your Home Server here (Modify, List, Read):
Sys logs while logging in:
Sep 29 00:08:44 skullmac kcm: DEPRECATED USE in libdispatch client: Setting timer interval to 0 requests a 1ns timer, did you mean FOREVER (a one-shot timer)?
Sep 29 00:08:45 skullmac authorizationhost: ERROR | -[HomeDirMounter mountNetworkHomeWithURL:attributes:dirPath:username:] | PremountHomeDirectoryWithAuthentication( url=smb://USDEF-KT0055/SKULL5%%22, homedir=/home/skull5, name=skull5 ) returned 2
Any update about this?
Do you have a special character as the last in the path for your home drives?
Here is what I saw in my situation:
Sep 15 13:40:55 L-AC0256 authorizationhost: ERROR | -[HomeDirMounter mountNetworkHomeWithURL:attributes:dirPath:username:] | PremountHomeDirectoryWithAuthentication( url=smb://NJHomeDrive/X23556%%24, homedir=/home/x23556, name=x23556 ) returned 2
The $ is incorrectly translated to "%%24" in 10.13. You can also see the "%%24" in the HomeDirectory attribute in Directory Editor for affected accounts in 10.13.
For me, unchecking the UNC box allows us to login and complete our testing, we will still wait for an official fix from Apple as we opened a ticket for this issue. Enterprise Connect maps the drive so we get the mapping that way in a pinch.
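A triage sketch for the log lines quoted above, added here as an example and not part of any poster's message: it scans syslog text for failed network-home premounts and flags URLs carrying the doubled-percent escape (`%%24`) described in the thread. The sample lines, host names and share names are constructed, and the function and field names are hypothetical.

```python
import re
from urllib.parse import unquote

# Matches the authorizationhost ERROR format quoted in the thread.
PREMOUNT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\sauthorizationhost:\sERROR\s.*"
    r"PremountHomeDirectoryWithAuthentication\(\s*url=(?P<url>[^,]+),"
    r"\s*homedir=(?P<homedir>[^,]+),\s*name=(?P<name>[^\s)]+)\s*\)"
    r"\sreturned\s(?P<rc>-?\d+)"
)
# A doubled percent sign in front of two hex digits marks the broken escape.
DOUBLE_PCT_RE = re.compile(r"%%(?=[0-9A-Fa-f]{2})")


def find_failed_home_mounts(lines):
    """Return one record per failed premount, noting doubled-percent URLs."""
    findings = []
    for line in lines:
        m = PREMOUNT_RE.match(line.strip())
        if not m:
            continue
        url = m.group("url")
        double_encoded = bool(DOUBLE_PCT_RE.search(url))
        # Collapse "%%" to "%" before decoding to recover the intended path.
        intended = unquote(DOUBLE_PCT_RE.sub("%", url))
        findings.append({
            "host": m.group("host"),
            "name": m.group("name"),
            "logged_url": url,
            "intended_url": intended,
            "double_encoded": double_encoded,
            "rc": int(m.group("rc")),
        })
    return findings


# Constructed sample input in the same shape as the lines in the thread.
SAMPLE_LOG = """\
Oct 02 09:14:01 testmac kcm: DEPRECATED USE in libdispatch client: Setting timer interval to 0
Oct 02 09:14:02 testmac authorizationhost: ERROR | -[HomeDirMounter mountNetworkHomeWithURL:attributes:dirPath:username:] | PremountHomeDirectoryWithAuthentication( url=smb://fileserver.example/jdoe%%24, homedir=/home/jdoe, name=jdoe ) returned 2
Oct 02 09:20:37 testmac authorizationhost: ERROR | -[HomeDirMounter mountNetworkHomeWithURL:attributes:dirPath:username:] | PremountHomeDirectoryWithAuthentication( url=smb://fileserver.example/homes/asmith, homedir=/home/asmith, name=asmith ) returned 2
""".splitlines()

if __name__ == "__main__":
    for f in find_failed_home_mounts(SAMPLE_LOG):
        cause = "doubled-percent escape" if f["double_encoded"] else "other (path or permissions)"
        print(f'{f["host"]} {f["name"]}: {f["logged_url"]} -> {f["intended_url"]} [{cause}]')
```

Records with `double_encoded` set to false are the failures other posters attribute to a bad path or missing share permissions.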
@PhillyPhoto we have the same setup as you do, we don't have issues with mapping network drives; but as you may already know the issue is when the user tries to change their AD password, even using the Enterprise Connect App it doesn't work (rumor is the next patch will fix that "10.13.1")
I'm just wondering if you are having the same password issue.
Hi @jconte We are facing similar issues here. Exactly same error message. Did you find something around it?
For us it's not about changing the password, but we get it during logging in. A user who is logging in for the first time on a Mac gets this. Have you tried deleting the home folder and logging in as a new user?
We get it on all Macs, for all users.
macOS doesn't gracefully handle issues with the home directory; it just fails the login. Our Windows estate has a different mechanism in place for mapping user shares, so the homeDirectory attribute SHOULD be blank in our case. Some users tested using that field a long time ago and it wasn't cleared, and one of our configs for binding checked the box to mount that share. Seems to handle a blank attribute fine, but if there's a bad path (or one you don't have permissions to), the login just seems to fail without much of a helpful indication as to why.
Edit: meant to say this has been true since before High Sierra.
Well, it seems that today's update to 10.13.1 fixed the UNC path issue and now I am able to bind the machine as expected (with network home locations) without a problem.
One less thing to worry about!